Face-off: Information security awareness and when not to reveal information

Date: Aug 09, 2010

Can the security industry learn from the Transportation Security Administration? It may seem
like an odd pairing, but both struggle with the challenges of protecting those in their care while
maintaining usability and personal privacy.

In this face-off, Hugh Thompson, Founder of People Security, and Adam Shostack, co-author of
The New School of Information Security, discuss information security awareness, how people
often reveal information they shouldn't, and whether the TSA serves as a good model of information
security.

Read the full text transcript from this video below. Please note the full transcript is
for reference only and may include limited inaccuracies. To suggest a transcript correction,
contact editor@searchsecurity.com.

Adam Shostack: Hi, I'm Adam Shostack, and I'm here with Hugh
Thompson on the SearchSecurity.com FaceOff. And today we're going to talk about what the
information security industry can learn from the Transportation Security Administration.

Hugh Thompson: Dude, that's what we're talking
about?

Adam Shostack: That's what we're talking about.

Hugh Thompson: What the security industry can learn from the
Transportation Security, the TSA?

Adam Shostack: The TSA.

Hugh Thompson: What kind of topic is that?

Adam Shostack: The second most hated...it's a great topic.
Because I think we have a lot to learn, and I'll tell you. If you think about how people respond
when they're going through the airport.

Adam Shostack: All right. You're annoyed. They're asking you to
do strange things. You don't understand why it's there. It's different every time you come
in.

Hugh Thompson: OK.

Adam Shostack: And here's my argument. For the normal person,
interacting with information security is the same way. We make all of these weird requests. We tell
them to do stuff, like answer these secret questions. We give them different rules for how long
their password needs to be. If we had our act together, couldn't we all give them the same password
rules?

Adam Shostack: We are destroying people's ability to develop
mental models of how to be secure online.

Hugh Thompson: It's kind of interesting. I'll agree the
model is already shattered. And actually, now that you say that, did you ever read Markus
Jakobsson's study while he was at Indiana University, about the first four digits?

Hugh Thompson: So, Markus did this fascinating study, which he
always does. And this one is: are people more likely to accept the first four digits of the credit
card number as...

Adam Shostack: Which are public?

Hugh Thompson: ...well, which are tied to the card issuer,
and the right for discover, they're the same for everybody. Are they more willing to accept the
last four digits, which are kind of unique to them, well, sort of? Are they more willing to accept
that as an authentication? So, if I send you an email saying, "Hey, I'm from your bank. Here are
the last four digits of your account number, to prove that I am from your bank."

Will they act any differently if you say, "Hey, I'm from your
bank. Here are the first four digits of your account number." And what he found was very little
difference, in terms of how people respond. Now that, I think that...

Adam Shostack: But what most people don't know is the first
four digits are set by banks. They're a bank routing number, 3-8-2-3 is Amex, right?

Hugh Thompson: Well yeah, exactly. Those are known by
everybody. Well, certainly known by the attacker.

Adam Shostack: Yep.

Hugh Thompson: But what was interesting I thought about that is
that because many banks were using the last four digits, I'm sure you've gotten a bank email with
that, they're conditioning the user, to your point, to look for four digits. But not
distinguishing, "Wow, make sure you look for the last four digits. These have a very special
property, X-Y-Z, that way you don't have a one in ten thousand chance of being phished, instead of
a one in three or four chance with the first four digits." So, I can see where you're coming from,
in that we are conditioning the user not to make wise security choices.

Adam Shostack: OK. So, here's the second way.

Hugh Thompson: All right. I'm still trying to bridge to the T-.
OK, go ahead.

Adam Shostack: OK. Here's the second thing we can learn from
the TSA.

Hugh Thompson: OK. Educate me.

Adam Shostack: The TSA frustrates the heck out of just about
everyone that comes in contact with this...

Hugh Thompson: I kind of like it, man. You get to see the
people, they say hello, they take your shoes, they cart them off. It's like a
relationship.

Adam Shostack: Oh, OK.

Hugh Thompson: I don't know.

Adam Shostack: Well, you've got to get out more.

Hugh Thompson: OK, well, that's probably true, in general.
Yeah.

Adam Shostack: When people encounter the stuff that their
company information security department makes them do, or their bank, or these online sites, it
feels bizarre. They don't know why they're doing it.

Hugh Thompson: Yeah, it feels foreign.

Adam Shostack: So, not only do they not have the mental model,
but they get frustrated by it. And, while we're talking about academic work, there's a great
researcher by the name of Angela Sasse at University College London.

Hugh Thompson: Uh huh, OK. I remember seeing her
stuff.

Adam Shostack: And she's done some work on what she calls
compliance budgets: that people have a certain amount of energy they put into going through the
security work. And then, when they reach a limit, even stuff that you've asked them to do before,
they don't feel they have time to do. They feel they've done enough security stuff. And so, you've
got people who choose to drive now, instead of fly. Airline traffic is down about 20% over the last
decade.

Hugh Thompson: But do you think that's attributable to people
making decisions around personal privacy and intimacy? Dude, cutbacks, man. Economy's been
tanking.

Adam Shostack: Well...

Hugh Thompson: But do you think there's a significant portion
of those people that have made the decision for that reason?

Adam Shostack: Well, the economy's been up and down through
that time. It's not all down. But travel is. And I think a lot of...

Hugh Thompson: Would you, at the point where we are now, in
terms of what TSA does, are you at the point where you would say, "No, I'm not going to
fly."

Adam Shostack: I am actually seriously considering
it.

Hugh Thompson: Are you serious, man?

Adam Shostack: With these naked scanners that take pictures of
you?

Hugh Thompson: Yeah.

Adam Shostack: They've got to pay me better for that.

Hugh Thompson: OK, that's one way to look at it.

Adam Shostack: But seriously, it's a real intrusion. And when I
look at an international trip now, I look at all of this stuff, and say, "Can I work in two or
three different segments to this? Because I really don't want to put myself through
that."

Hugh Thompson: Yeah, I mean, it is a very serious issue. And
the balance between personal privacy and protection as a whole, I don't think we know how to
calibrate that yet. And it's interesting because that trade off is different for everybody.
So, you're at the point where you'd consider making a long drive instead of taking a
plane.

Adam Shostack: Oh no, I got there years ago.

Hugh Thompson: Oh really? OK. So, now it's...

Adam Shostack: Oh yeah. Because it used to be I could show up
at the airport, when I lived in Montreal. See, here I am giving away personal
information.

Hugh Thompson: Oh, thanks man. Reset question. Noted, duly
noted.

Adam Shostack: All right. It was about a five hour, six hour
drive from Montreal to Boston.

Hugh Thompson: Yeah.

Adam Shostack: And with the new security rules, where you had
to be at the airport two hours ahead of time, it literally became faster to drive than to fly. By
the time you factor in get to the airport, wait, fly, get a rental car on the other end. So yeah,
my fly/drive decisions are different now than they were a decade ago.

Hugh Thompson: We're in a boiling the frog kind of scenario.
Things have gotten a lot more invasive over the last couple of years, and it's interesting when
we're going to get to that boiling and breaking point. Obviously, you're a lot closer than I am to
that point. Because for me, I look at it, and I say the utility of flying is so critical to what I
do that I'm willing to teeter much further down that path. But there is going to be a point where,
for me and for everybody, we say enough is enough. But I think we've got to start asking those
questions very, very quickly.

Adam Shostack: And I think as information security
professionals, we need to ask where our users are. We need to take that lesson from the TSA and
bring it into our work.
